• Resolved barnez

    (@pidengmor)


    Hi,
    I’ve just had a client struggle to upload a Microsoft Word .doc file through my contact form (Contact Form 7). The file extension is allowed in Contact Form 7, and uploads are allowed in the Ninja Firewall. What I am seeing in the firewall log are attempts to upload a script:

    28/Jul/15 15:15:58  #5572584  critical     -  xxx.xxx.xx.xxx   POST /index.php - Attempt to upload a script - [Kowalski_MSWI_BA.doc, 2,573,312 bytes]

    When I try with other .doc file extensions the uploads are allowed, and so NF is only detecting something suspicious with this file. When I scan the file with my AV and the online VirusTotal scanner, no threats are found.

    This is the first time I have had what seems to be a false positive with the Allow Uploads >> Allow, but block scripts, ELF and system files.

    https://www.ads-software.com/plugins/ninjafirewall/

  • Thread Starter barnez

    (@pidengmor)

    One clue could be that this is a scientific document where each row of text has an individual number assigned to the left-hand margin, increasing incrementally 1, 2, 3 >> 658, 659, 660. Could this be flagging up as hidden code by the firewall?

    Plugin Author nintechnet

    (@nintechnet)

    Hi,

    Although .DOC is a binary file, it may contain some bytes that, translated into ASCII characters, could match a specific string detected by the firewall. For instance, the byte sequence 0x3C3F706870 would match ‘<?php’. A bit unusual, but possible.
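
An added example, not part of the original thread and not NinjaFirewall's code: a Python triage helper that shows how the byte sequence quoted in the reply above can sit inside a binary .doc container, and at which offset, so the hit can be inspected in a hex editor. The function names, the single signature checked and the sample bytes are assumptions constructed for illustration.

```python
# Added example: the signature and the sample bytes below are constructed for
# illustration; this is not NinjaFirewall's rule set or the file from the thread.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # header of legacy binary .doc files
ELF_MAGIC = b"\x7fELF"
PHP_OPEN_TAG = bytes.fromhex("3C3F706870")      # '<?php', the sequence quoted above


def container_type(data: bytes) -> str:
    """Classify the upload by its leading magic bytes."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ELF_MAGIC):
        return "elf"
    return "unknown"


def find_hits(data: bytes, context: int = 4) -> list:
    """Return (offset, hex context) for every occurrence of the signature."""
    hits = []
    pos = data.find(PHP_OPEN_TAG)
    while pos != -1:
        lo, hi = max(0, pos - context), pos + len(PHP_OPEN_TAG) + context
        hits.append((pos, data[lo:hi].hex(" ")))
        pos = data.find(PHP_OPEN_TAG, pos + 1)
    return hits


def triage(data: bytes) -> dict:
    """Summarise why a plain byte-substring rule would flag this upload."""
    hits = find_hits(data)
    return {
        "container": container_type(data),
        "flagged": bool(hits),   # what a substring rule decides
        "hits": hits,            # where to look in a hex editor
    }


# Constructed sample: OLE2 header, padding, then binary data that happens to
# contain 3C 3F 70 68 70 between non-text bytes.
SAMPLE_DOC = OLE2_MAGIC + bytes(504) + b"\x12\x00" + PHP_OPEN_TAG + b"\x9a\x01" + bytes(64)

if __name__ == "__main__":
    report = triage(SAMPLE_DOC)
    print(report["container"], report["flagged"])
    for offset, ctx in report["hits"]:
        print(f"offset {offset:#x}: {ctx}")
```

A hit surrounded by non-text bytes inside an OLE2 container, as in the sample, is the situation the reply describes: the filter matches on raw bytes regardless of the file's format.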

    Thread Starter barnez

    (@pidengmor)

    Hi,

    As a test I removed all the text from the document and then reproduced the empty line numbered sequence from 1 to 660. This uploads without any issues. So, perhaps you are right and this is just a random case where the byte sequence unintentionally translates into something that could be malicious. I’ll keep an eye on this.

    Many thanks for the response.

    Thread Starter barnez

    (@pidengmor)

    Marking this as resolved.

  • The topic ‘Firewall restricting uplads from a particular .doc MS Word file’ is closed to new replies.